Rupert Eghardt (South Africa) asked:
Best firewall recommendation

Hi Guys,

We've been using TMG for the last couple of years and still have no issues; however, the product has been discontinued, and as time goes on the risk of attack will increase.

1.  Are hardware firewalls better than software ones?  Or is this at the administrator's discretion?

2.  Any recommendation for a new firewall to replace TMG?

3.  Must be compatible with MS Exchange rules, SSL, etc.

I would appreciate some ideas / input.

jhyiesla (United States of America):

My opinion is that a hardware-based firewall is always better.

Currently we're using a Cisco ASA and really like it, but it does have one flaw. The model we are using doesn't give us much extra security right out of the box. We can add on things like the FirePower module that Cisco has, but I've heard that it can seriously impact your throughput. We've looked seriously at the Palo Alto product. It seems more robust right out of the box with firewall capabilities as well as a more robust built-in security offering.
Well, I also recommend going with a hardware-based firewall.

I have been using SonicWALL (now called Dell SonicWALL) for more than 8 years in more than 20 locations. There are locations which have a redundant firewall. It is a complete firewall as well as UTM, and it is extremely easy to manage.

I'm not a firewall expert, but I have seen a lot of problems with the SonicWALL firewalls with several of my customers. I would avoid them like the plague.

madunix:

Hardware-based firewalls are more powerful. Firewalls may be implemented on HW or SW platforms. Hardware provides good performance with minimal system overhead and is faster. Software-based firewalls are generally slower with significant system overhead; they are (not all) more flexible with additional services, which may include content and virus checking before traffic is passed to users.

I have implemented FortiGate HW firewalls at many sites with a bundle of AntiX, VPN, DLP, AV... please check http://docs.fortinet.com/d/fortigate-1500d-quickstart

Rupert Eghardt (ASKER):

Something which I did not mention ... we have two incoming lines (fibre & DSL).
Ideally we would like to set up the DSL as a fail-over connection for the fibre link.

We've been using the Cisco RV042 as a fail-over router behind our current firewall.

Is there a way to combine the two into a single firewall / fail-over router?

Any thoughts on the Check Point firewall?

Good question.  Can you please give us a list of specs so we can recommend the optimal solution for you?
e.g.
Bandwidth 100 Mbit x 10 Mbit
50 users
Filtering for p2p, proxies, porn
VPN tunnels to 20 other offices
20 remote users

Specs as follows:

1.  Two incoming lines (fail-over option required)
2.  100Mb fibre on one incoming channel, 20Mb DSL on the secondary link
3.  1000Mb/s internal network
4.  60 users
5.  Filter for proxies, p2p, porn and mail if possible (blacklist / whitelist mail address option)?
6.  VPN: no other remote offices
7.  20 remote users should suffice

Good info!

I'd probably get the TZ400 or TZ500 (for future bandwidth - it only goes up for most companies).
Get the Total Secure package if you want to filter p2p etc.  (Total Secure is an annual subscription for support - this includes walking you through the setup - DON'T use the wizards :) ask for help - as well as additional filtering such as p2p, proxies, porn, intrusion protection - they usually have a 2- or 3-year discounted price.)
It does support RBL and other mail filtering.
The firewall supports load balancing and automatic failover for multiple internet connections.

It comes with 2 Global VPN licenses and 2 SSL VPN licenses.   Both are for letting you VPN in from home.  You can buy additional ones.   The SSL one is for Macs and for PCs that need access from locations such as hotels that might have their own firewall.   For most PC home users I prefer the Global VPN license, but that is just a matter of preference - you could buy all SSL licenses if you prefer.

You only need enough VPN licenses to cover the number of people SIMULTANEOUSLY VPNing in remotely.   E.g. you might have 20 people who might VPN in, but if only 4 will ever actually be using the VPN at the same time, then a few extra licenses is all you need.

Thank you!

1.  Regarding fail-over for the SonicWALL:

Is it not necessary to have two identical ASAs (incoming connections)?
  .. as one would be fibre and the other DSL.

2. Do the TZ400 / TZ500 both support MS Exchange RPC/OWA integrated security with SSL?

You can run totally different types of speeds and sync or async throughput.  

You can open the ports on the SonicWALL for Exchange RPC/SSL.   I typically just use a single cheap cert on the Exchange server and use a PS script to assign the cert to all the services.
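The "PS script to assign the cert to all the services" step above, written out as an added example (this is not boed's script and not from the thread). It assumes the Exchange Management Shell is loaded, that `mail.example.com` is a placeholder for the client-access name on the certificate, and it uses the standard `Get-ExchangeCertificate` / `Enable-ExchangeCertificate` cmdlets. It picks the newest currently-valid certificate carrying that name, binds it to IIS (OWA / Outlook Anywhere / EWS), SMTP, POP and IMAP, and then re-reads the certificate to confirm the binding took:

```powershell
# Added example, not from the original thread. Run inside the Exchange Management Shell.
param(
    [string]$HostName = 'mail.example.com',            # placeholder: your client-access FQDN
    [string[]]$Services = @('IIS', 'SMTP', 'POP', 'IMAP')  # services that should present this cert
)

$now = Get-Date

# Candidates: in the Exchange cert store, carry the host name in the subject CN or the
# SAN list (CertificateDomains), are inside their validity window, and have a private key.
$candidates = Get-ExchangeCertificate |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.Subject -like "*CN=$HostName*" -or $_.CertificateDomains -contains $HostName)
    } |
    Sort-Object NotAfter -Descending

if (-not $candidates) {
    throw "No valid certificate with a private key for $HostName was found in the Exchange store."
}

# Newest expiry first, so a freshly renewed cert wins over the one it replaces.
$cert = $candidates | Select-Object -First 1
Write-Host ("Binding {0} (expires {1:yyyy-MM-dd}) to {2}" -f $cert.Thumbprint, $cert.NotAfter, ($Services -join ', '))

# -Force suppresses the "overwrite the default SMTP certificate?" confirmation prompt.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services -Force

# Verify: every requested service should now appear in the cert's Services property.
$after   = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $Services | Where-Object { "$($after.Services)" -notmatch $_ }
if ($missing) {
    throw "Bound the certificate, but these services still do not use it: $($missing -join ', ')"
}
Write-Host "OK: $HostName certificate is now used by: $($after.Services)"
```

Two practical points. The single certificate only works across all services if its SAN list covers every name clients connect to (the OWA / Outlook Anywhere name and the autodiscover name at minimum), which is why the filter above checks `CertificateDomains` rather than only the subject CN. And binding the certificate in Exchange does nothing on the firewall side: the TCP 443 rule on the SonicWALL that boed mentions is still a separate, explicit step, and keeping that rule limited to 443 (rather than exposing RPC directly) is what lets the firewall inspect or at least log the Exchange traffic.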
Hi boed,

I looked at the spec sheet for the TZ400 / TZ500, but it seems to have only one WAN port, no fail-over port.

I also don't see any reference to the fail-over functionality in the spec sheets.

Do I need an additional expansion card?  Or do they call the functionality something else perhaps?
ASKER CERTIFIED SOLUTION: boed